School network here with an old Windows server running DHCP for our 10 VLANs.
Would like to use our PA-3220 firewalls to run DHCP so I can get rid of the old server.
Layer 3 routing happens inside the building network on the top-of-rack switch (Aruba 6405). DHCP relay is also enabled on the top-of-rack switch, since the DHCP server is on a separate VLAN to isolate it from other network traffic.
Firewalls are connected via a single interface to the internal network. VLANs are configured on the firewall so it knows about all of them and I have policies enabled to give each VLAN appropriate access to the Internet.
The one document I saw that talked about this issue mentioned creating a virtual router for each scope, but I currently have two virtual routers to enable failover from one ISP feed to another. Wasn't sure how to set up the DHCP scopes without making a mess of the failover VRs.
All suggestions appreciated, even if it's just I should create a case or need to hire a VAR to help me with the config.
The DHCP scopes will 'live' inside the same VR that the interface they are associated with is bound to, so if you have one primary VR that's attached to all your L3 interfaces (in your case VLAN interfaces), all the subnets will be inside that VR's routing table; you'll just need to account for those routes in the other VR by setting a 'next vr' nexthop.
But... I'm wondering what the use case is for having your routing set up on your switches while your firewall only has one interface connected and is set to layer 2. Wouldn't it be more logical to set the FW to L3 and perform routing and DHCP there?
@reaper The use case would be a superscope setup where, for various reasons, you have your routing in a remote location but you want to consolidate DHCP for management. The most obvious examples would be remote branches and instances where you have a large volume of inter-network routing traffic but do not need to filter that traffic on the PA (or filter it with a different device). I have 20 remote branches and dozens of internal networks with PAs standing between the overall network and the internet/VPN tunnels. Branches are connected by a private WAN across multiple routers, internal corporate inter-LAN traffic can exceed 10Gbs (running on a L3 "switch"), and neither is terminated on the PA. Instead, I use a common Windows superscope DHCP server with DHCP relaying enabled on the router which terminates the local network, so I can manage all the DHCP in one central location.
Unfortunately, it doesn't look like it is possible to set up a superscope on the PA; each DHCP instance must be bound to a local interface. See this earlier thread reply from PavelK:
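The two constraints raised in this thread (a DHCP scope lives in the VR of the interface it is bound to, so every other VR needs a next-vr route for that subnet, and each scope must fit inside a local interface's subnet) can be checked before committing. The following is an added planning script, not code from the thread or from Palo Alto; the interface names, VR names, addresses and the "next-vr <vr>" nexthop notation are constructed placeholders for illustration.

```python
import ipaddress

# Constructed sample topology (hypothetical names and addresses).
# Each VLAN interface is bound to exactly one VR; its DHCP scope inherits that VR.
INTERFACES = {
    "vlan.10": {"vr": "vr-isp1", "ip": "10.10.0.1/24"},
    "vlan.20": {"vr": "vr-isp1", "ip": "10.20.0.1/24"},
}
# DHCP pools as (first, last) addresses; vlan.20 is deliberately misconfigured.
SCOPES = {
    "vlan.10": ("10.10.0.50", "10.10.0.200"),
    "vlan.20": ("10.20.0.50", "10.21.0.200"),
}
# Existing static routes per VR as (destination, nexthop); a nexthop written
# "next-vr <name>" stands for a route that hands the packet to another VR.
ROUTES = {
    "vr-isp1": [("0.0.0.0/0", "203.0.113.1")],
    "vr-isp2": [("0.0.0.0/0", "198.51.100.1"),
                ("10.10.0.0/24", "next-vr vr-isp1")],
}

def check_scope_ranges(interfaces, scopes):
    """Return interfaces whose DHCP pool is not fully inside the interface subnet."""
    bad = []
    for ifname, (lo, hi) in scopes.items():
        net = ipaddress.ip_interface(interfaces[ifname]["ip"]).network
        lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo_a > hi_a or lo_a not in net or hi_a not in net:
            bad.append(ifname)
    return bad

def missing_next_vr_routes(interfaces, routes):
    """For each VR that does not own a scope's subnet, report the next-vr route
    it still lacks, as (vr, destination, required nexthop)."""
    missing = []
    for cfg in interfaces.values():
        net = ipaddress.ip_interface(cfg["ip"]).network
        want = f"next-vr {cfg['vr']}"
        for vr, rts in routes.items():
            if vr == cfg["vr"]:
                continue  # owning VR has the subnet as a connected route
            covered = any(ipaddress.ip_network(d) == net and nh == want
                          for d, nh in rts)
            if not covered:
                missing.append((vr, str(net), want))
    return missing

if __name__ == "__main__":
    print("bad pools:", check_scope_ranges(INTERFACES, SCOPES))
    print("routes to add:", missing_next_vr_routes(INTERFACES, ROUTES))
```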